The discussion on transatlantic jurisdictional tensions could be constructed as one on enabling, or frustrating, free trade. The General Data Protection Regulation holds that personal data may be transferred only to States with an essentially equivalent level of data protection to that in the EU. This so-called adequacy standard pushes third States to enact EU-style regulation and has thus had extraterritorial effect. As the US has not received an overall adequacy decision, EU to US data transfers are based upon sector-specific agreements or other transfer mechanisms. In 2015, the Court of Justice of the EU invalidated the US–EU Safe Harbour agreement, which had enabled many EU–US data transfers for companies, ruling that it infringed privacy and data protection rights. Since then, both parties have renegotiated multiple data transfer agreements, each time to incorporate stronger EU data protection standards. US companies have realised the need to have privacy and data protection approaches closer to those in Europe to be attractive to the EU market. Ultimately, there is perceptible legal diffusion based on EU values. If the EU has managed this diffusion by requiring certain data transfer arrangements, the wider implications are that global data privacy protections are gradually becoming stronger.

This chapter evaluates the key data protection requirements and compliance obligations that governments must account for when entering into contracts with cloud service providers. The chapter concentrates on data protection issues that pose particular barriers for governments attempting to adopt cloud-computing services.

The chapter focuses primarily on understanding how the General Data Protection Regulation (GDPR) impacts the use of cloud computing. This requires an analysis of applicability and jurisdiction, applications of principles, understanding roles and responsibilities under the law, contractual obligations on sub-processors, liability for compliance, and limits on data transfers among others. The chapter also provides an overview of US data privacy law.

The chapter further evaluates recent case law and guidance from the European Data Protection Board (EDPB) and national data protection authorities to draw conclusions regarding GDPR cloud compliance obligations. Specifically, the chapter focuses on challenges and limits to cross-border transfers of data following the CJEU decision in the “Schrems II” case.